Sharing key to combating threats

As awareness about the importance of sharing information about cyber and
physical threats grows following the Sept. 11 terrorist attacks, the General
Accounting Office last week released a report on the best practices of leading
organizations in the public and private sectors.

The report is in response to a request in May from Sen. Robert Bennett
(R-Utah), a key supporter of critical infrastructure protection issues and
an advocate for sharing cybersecurity information between the government
and private sector. Bennett and other members of Congress have introduced
bills this year to promote such sharing.

GAO reviewed 11 organizations, including the Centers for Disease Control
and Prevention, the Federal Computer Incident Response Center (FedCIRC),
the Joint Task Force-Computer Network Operations (JTF-CNO), and the North
American Electric Reliability Council. FedCIRC serves as the central warning,
analysis and response organization for civilian agencies, and the JTF-CNO
provides that service for the Defense Department.

All of these organizations form relationships with members to collect
information on security incidents, analyze potential future weaknesses and
issue alerts on vulnerabilities and attacks.

The GAO report, and past reviews in related areas, found that information
sharing and coordination are "central to producing comprehensive and practical
approaches and solutions to combating computer-based threats." But few agencies
have formed such mechanisms, and those that have are still working to become
entirely successful, according to GAO.

From their experience, GAO outlined several key success factors:

* Developing trust between participants over time through personal relationships.

* Establishing effective and secure communications.

* Getting the support of senior managers at member organizations on
the importance of sharing such potentially sensitive information.

* Ensuring continuity of leadership within the organization to maintain
focus.

* Providing identifiable benefits to keep members involved.

The most difficult challenge is organizations' natural reluctance to
share information on vulnerabilities, GAO reported.

This challenge can be immediately addressed through the development
of clear, written agreements on information usage and sharing, GAO wrote.
And that reluctance is reduced over time as members become more familiar
with one another and others' perspectives and pass on their positive experiences
to new members, according to the report.